
When updating a form containing an image, the user can't proceed without choosing another image file (choosing another one is required). So, if the user wants to change only the "name", for example, the update won't work. How can I avoid this?

```html
<form class="form-inline" method="POST" enctype="multipart/form-data" action="index.php?menuop=atualiza-bebida">

...

<div class="form-group">
   <h3>Icone Atual:</h3>
   <img src="<?php echo $fetch['icon_drink']?>" height="90" width="90" />
   <input type="hidden" name="previous" value="<?php echo $fetch['icon_drink']?>"/>
   <h3>Alterar ícone:</h3>
   <input type="file" class="form-control" name="arquivo" value="<?php echo $fetch['icon_drink']?>" />
</div>

...

</form>
```

Atualiza_bebida.php:

```php
<?php
    require_once './conecta-bd.php';
    if(ISSET($_POST['edit'])){
        // Form fields and upload metadata
        $id_drink = $_POST['id_drink'];
        $image_name = $_FILES['arquivo']['name'];
        $image_temp = $_FILES['arquivo']['tmp_name'];
        $drink_nome = $_POST['drink_nome'];
        $drink_volume = $_POST['drink_volume'];
        $drink_teor = $_POST['drink_teor'];
        $drink_tipo = $_POST['drink_tipo'];
        $previous = $_POST['previous'];
        // Build a timestamped file name that keeps the uploaded extension
        $exp = explode(".", $image_name);
        $end = end($exp);
        $name = time().".".$end;
        if(!is_dir("paginas/bebidas/icons-drink-up"))
            mkdir("paginas/bebidas/icons-drink-up");
        $path = "paginas/bebidas/icons-drink-up/".$name;
        $allowed_ext = array("gif", "jpg", "jpeg", "png");
        // The update only runs when an allowed image was uploaded
        if(in_array($end, $allowed_ext)){
            if(unlink($previous)){
                if(move_uploaded_file($image_temp, $path)){
                    mysqli_query($conn, "UPDATE `tb_drinks` set `drink_nome` = '$drink_nome', `drink_volume` = '$drink_volume', `drink_teor` = '$drink_teor', `drink_tipo` = '$drink_tipo', `icon_drink` = '$path' WHERE `id_drink` = '$id_drink'") or die(mysqli_error($conn));
                    echo "<script>alert('User account updated!')</script>";
                    header("location: index.php?menuop=drinks");
                }
            }
        }else{
            echo "<script>alert('Image only')</script>";
        }
    }
?>
```

I am expecting that the update could work without updating the image.

LSDig
  • Your code is vulnerable to SQL injection. Use prepared statements/parameterized queries instead. – GrumpyCrouton Aug 22 '23 at 20:10
  • As for your question, simply check if `$_FILES['arquivo']` is empty, and if it is, don't run the code to move the image and don't update it in the database. – GrumpyCrouton Aug 22 '23 at 20:11
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Aug 22 '23 at 21:11
  • Checking if `$_FILES['arquivo']` was empty did the trick, thanks :) .. just did an `if ($_FILES['arquivo']['error'] !== 4)` condition, and put all the img vars inside of it, then created another query for the other fields. – LSDig Aug 22 '23 at 22:27

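The approach suggested in the comments (skip the image step when no file was uploaded, and use prepared statements), written out as an added example; it is not code from the thread. The function name `update_drink` is hypothetical, the table, columns and upload directory are taken from the question, and the old icon path is read from the database rather than from the hidden `previous` field.

```php
<?php
// Added example (hypothetical helper). Assumes $conn is the mysqli connection
// from conecta-bd.php and the tb_drinks columns shown in the question.
function update_drink(mysqli $conn, array $post, array $file): void
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw
    $id = (int) $post['id_drink'];

    // Text fields are always updated, with bound parameters.
    $stmt = $conn->prepare('UPDATE tb_drinks SET drink_nome = ?, drink_volume = ?,
        drink_teor = ?, drink_tipo = ? WHERE id_drink = ?');
    $stmt->bind_param('ssssi', $post['drink_nome'], $post['drink_volume'],
        $post['drink_teor'], $post['drink_tipo'], $id);
    $stmt->execute();

    // No file chosen (error code 4): keep the current icon and stop here.
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        return;
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . $file['error']);
    }
    // Allow-list on the lower-cased extension; the stored name is generated here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true)) {
        throw new RuntimeException('Image only');
    }
    $dir = 'paginas/bebidas/icons-drink-up';
    is_dir($dir) || mkdir($dir, 0755, true);
    $path = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;

    // Old icon path comes from the database, not the hidden "previous" field,
    // so the request cannot choose which file gets deleted.
    $sel = $conn->prepare('SELECT icon_drink FROM tb_drinks WHERE id_drink = ?');
    $sel->bind_param('i', $id);
    $sel->execute();
    $old = $sel->get_result()->fetch_assoc()['icon_drink'] ?? null;

    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not store upload');
    }
    $upd = $conn->prepare('UPDATE tb_drinks SET icon_drink = ? WHERE id_drink = ?');
    $upd->bind_param('si', $path, $id);
    $upd->execute();
    if ($old && is_file($old)) {
        unlink($old); // delete the old icon only after the new one is saved
    }
}
// Call site in the handler: update_drink($conn, $_POST, $_FILES['arquivo']);
```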